STATE OF NORTH CAROLINA
PERFORMANCE AUDIT
DEPARTMENT OF HEALTH AND HUMAN SERVICES – OFFICE OF MEDICAID MANAGEMENT INFORMATION SYSTEM SERVICES
REPLACEMENT MMIS IMPLEMENTATION
JANUARY 2012
OFFICE OF THE STATE AUDITOR
BETH A.WOOD, CPA
STATE AUDITORPERFORMANCE AUDIT
DEPARTMENT OF HEALTH AND HUMAN SERVICES – OFFICE OF MEDICAID MANAGEMENT INFORMATION SYSTEM SERVICES
REPLACEMENT MMIS IMPLEMENTATION
JANUARY 2012Beth A. Wood, CPA
State Auditor
STATE OF NORTH CAROLINA
Office of the State Auditor
2 S. Salisbury Street
20601 Mail Service Center
Raleigh, NC 27699-0601
Telephone: (919) 807-7500
Fax: (919) 807-7647
Internet
http://www.ncauditor.net
January 10, 2012
The Honorable Beverly Perdue, Governor Members of the North Carolina General Assembly Lanier M. Cansler, Secretary, Department of Health and Human Services
Angeline Sligh, Director, Office of Medicaid Management Information System Services
Ladies and Gentlemen:
We are pleased to submit this performance audit titled “Department of Health and Human Services – Office of Medicaid Management Information System Services, Replacement MMIS Implementation.” The audit objective was to determine if the Office of Medicaid Management Information System Services established controls to provide reasonable assurance that the replacement Medicaid Management Information System project would be fully implemented on time and on budget, after considering required federal and state mandated changes. Secretary Cansler reviewed a draft copy of this report. His written comments are included in the appendix.
The Office of the State Auditor initiated this audit to identify improvement opportunities for the procurement and oversight of the Medicaid Management Information System implementation project.
We wish to express our appreciation to the staff of the Office of Medicaid Management Information System Services for the courtesy, cooperation, and assistance provided us during the audit.
Respectfully submitted,
Beth A. Wood, CPA State Auditor TABLE OF CONTENTS
PAGE
SUMMARY................................................................................................................................2
INTRODUCTION
BACKGROUND..................................................................................................................4
OBJECTIVES, SCOPE, AND METHODOLOGY......................................................................5
FINDINGS AND RECOMMENDATIONS..........................................................................................6
APPENDIX
AUDITOR’S RESPONSE...................................................................................................14
DEPARTMENT RESPONSE...............................................................................................17
ORDERING INFORMATION........................................................................................................49 PERFORMANCE AUDIT
SUMMARY
PURPOSE
This audit report evaluates whether the Department of Health and Human Services (Department) - Office of Medicaid Management Information System Services’ (Office) established controls to provide reasonable assurance that the replacement Medicaid Management Information System project would be fully implemented on time and on budget, after considering required federal and State mandated changes. The report makes recommendations so Department and Office management can take appropriate corrective action.
RESULTS
Management lacks documentation that clearly explains the evaluations and decisions that impact the implementation of the Medicaid Management Information System.
The Medicaid Management Information System is expected to be completed about 22 months late with total overall costs exceeding estimates by $320.3 million. The reasons for the costs changes include schedule delays, federal and state mandates, and two additional years of operations that the Office contracted for with the Vendor.
The Office did not fully document its analysis of the impact that schedule delays had on the system implementation. The system has experienced delays for three reasons. First, the Vendors planned use 73% of the programming code from its New York system project to build North Carolina’s system, and later found that it could only use about 32% of the code. Second, the Vendor experienced higher than expected staff turnover. And third, the length of time taken to review and approve project designs and deliverables exceeded budgeted amounts. Office management contends that only six months of delay in the replacement system go-live date is attributable to “schedule-slippage” or delays. However, the Office did not document its analysis or the reasoning used to determine the impact of the delays on the project.
Also, the Department and Office did not fully document how it determined the amount of damages for which the vendor was responsible. The contract did not define how responsibility for delays would be determined or how damages would be calculated. As a result, the Office found it necessary to negotiate the damage assessment with the Vendor. The Office required the Vendor to perform an analysis to determine how much of the 22-month implementation delay was due to “schedule slippage.” Office management said it performed “deep analysis” of the Vendor prepared schedules. However, the Office did not fully document its reasoning and analysis for determining the damages. The Office then negotiated with the Vendor to determine how much of the slippage was caused by the Vendor. The Office agreed upon four months of damages. The Office assessed the Vendor $10 million based on estimated damages. The Office also amended the contract so that neither party can obtain additional damages if those estimates later prove to be incorrect.
2
PERFORMANCE AUDIT
3
Lastly, the Office did not timely identify about $30.4 million of changes that the Vendor made to the design, development, and integration phase of the replacement Medicaid Management Information System project. Because the Office’s monitoring procedures did not identify the unauthorized changes, the Office was not aware that the design of the system being built differed from the system that had been approved. In fact, the Department was not aware of some of the changes for more than a year after the changes were made. The Office refused to pay for some of the changes and accepted others. The Office negotiated a price of $15 million for the changes it accepted.
RECOMMENDATIONS
The Department and Office should clearly document the reasoning and analysis used to determine and manage the effect of delays on the project.
The Department and Office should document its methodology and reasoning in determining how penalties were assessed on vendors. The Department and Office should also retain all documentation used to plan and conduct negotiations with vendors.
The Department and Office should ensure that monitoring procedures are effective for identifying deviations from the project plan. For efficiency, management could establish, document, and communicate to the vendor types of changes that the vendor can make without prior approval.
AGENCY’S RESPONSE
The Agency’s response is included in the appendix. PERFORMANCE AUDIT
INTRODUCTION
BACKGROUND
North Carolina currently contracts with Hewlett Packard Enterprise Services to operate the State’s Medicaid Management Information System and process Medicaid claims payments. The computer system that the Department of Health and Human Services (Department) uses processes and pays over $10 billion a year in health care claims for about 1.5 million Medicaid program participants. North Carolina purchased the current system from Electronic Data Systems in 1988.
In April 2004, the Department awarded a $171 million contract to Affiliated Computer Services (ACS) to replace the existing system and serve as the new fiscal agent for the State’s Medicaid Program. The Department also created the North Carolina Office of Medicaid Management Information System Services (Office) to provide oversight and manage activities for the procurement and implementation of support systems and services for the replacement System.
ACS did not perform in accordance with the contract. ACS was to complete the design, development, and installation phase of the contract by the summer of 2006. In March 2006, the Department granted a request to extend the completion date to August 2007. However, the Department denied a second ACS request to increase the contract cost and extend the design, development, and installation phase completion date to November 2007. After paying about $5.6 million in project costs, the Department terminated the ACS contract in July 2006. In response, ACS filed a wrongful termination and breach of contract lawsuit against the State. The civil court case was settled in January 2007 at an additional cost of $10.5 million to the State. In the settlement, ACS also agreed to install a suite of software to help the state’s Medicaid program generate savings.
In 2009, the Department began its second attempt at replacing the system. The Department awarded a $265 million contract to Computer Science Services, Inc (Vendor) in January 2009. The contract established a fully-implemented go-live date of August 2011 for the new system. However, in July 2010 the Vendor notified the Department that the Vendor would not be able to meet the established go-live date and requested an extension. After lengthy negotiations, the Department approved a contract amendment in July 2011 that granted an 18-22 month extension to build the system, increased contract price from $265 million to $494 million (86%), and extended the operational contract an additional two years.
The federal government is expected to fund up to 90% of the design, development, and installation cost for the new system.
4
PERFORMANCE AUDIT
OBJECTIVES, SCOPE, AND METHODOLOGY
The audit objective was to determine if the Office of Medicaid Management Information System Services (Office) has established controls that provide reasonable assurance that the replacement Medicaid Management Information System project would be fully implemented on time and on budget, after considering required federal and state mandated changes.
The Office of the State Auditor initiated this audit to identify improvement opportunities for the procurement and oversight of the system implementation project.
The audit scope included a review of project management practices and vendor contract information surrounding the current system replacement effort beginning January 1, 2009 through July 31, 2011. We conducted the fieldwork from February 2011 to December 2011.
To determine current management practices, we conducted interviews with Department of Health and Human Services (Department) and Office management, reviewed policies and procedures related to the replacement system project management, and reviewed Department and Office management meeting minutes.
To evaluate management controls, we compared Office project management practices to recommended best practices issued by the Project Management Institute and the IT Governance Institute.
Because of the test nature and other inherent limitations of an audit, together with limitations of any system of internal and management controls, this audit would not necessarily disclose all performance weaknesses or lack of compliance.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
We conducted this audit under the authority vested in the State Auditor of North Carolina by North Carolina General Statute 147.64.
5
FINDINGS AND RECOMMENDATIONS
1. IMPACT OF DELAYS NOT FULLY DOCUMENTED
The Office of Medicaid Management Information System Services (Office) at the North Carolina Department of Health and Human Services (Department) did not fully document its analysis of the impact that schedule delays had on the system implementation.
Schedule Delays
The Office and the Computer Sciences Corporation (Vendor) described three sources of schedule delays that impacted the system implementation.
One source of project delay was the Vendor’s planned use 73% of the programming code from its New York system project to build North Carolina’s system. In January 2009, the Vendor was awarded the contract and began work on North Carolina’s system. In June 2010, the Vendor found that it could only use about 32% of the code from the New York project for North Carolina. Consequently, unplanned additional time and labor is necessary to complete North Carolina’s system.
In a March 10, 2011, interview, the current State CIO said he would never have allowed the proposal to be accepted based on the estimated percentage of usable code. The State CIO said that he had experience with other information technology vendors making similar estimates and not being able to deliver.
The Office accepted the Vendor’s proposed use of 73% of the New York project code without documenting any independent analysis that indicates the proposal was reasonable. Department management said it was not possible to determine whether the Vendor could use the New York project programming code until after the system was designed and programming was started. Furthermore, Department management said that the additional programming time and labor needed to complete the system does not cost the State anything because the State has a fixed cost contract.
A second source of project delay was higher than expected Vendor staff turnover. The risk of high staff turnover and planned mitigation actions were listed in the Vendor’s proposal. The risk of high staff turnover was also documented in the project risk register1 on May 2, 2009. The vendor reported high staff turnover to the project oversight committee beginning in April 2010. However, the staff turnover risk was not transferred to the issue register and actions taken to address the issue until Oct
A third source of project delay was the length of time taken to review and approve project designs and deliverables. The Vendor and the Office stated that review and approval process sometimes exceeded the two cycles of review that were budgeted. Vendor personnel stated the review process resulted in numerous cycles of technical design and development being performed. Additionally, Office personnel stated that the Vendor
1 Risks are listed in the projects risk register. When events occur and the risks are realized, the risks become issues and are documented in the issue register.
6
FINDINGS AND RECOMMENDATIONS
wanted to meet its deliverable due date, so it would sometimes submit deliverables that were not complete. Office personnel said this added more review tim
Office documentation shows that on average, the deliverables required review and approval process took about 2.1 cycles. However, analysis of the docum
The project delays not only extended the amount of time needed to complete the system, they resulted in additional costs to the State. Extending the project schedule requires the State to continue using the legacy system. As a result, the State incurs additional cost because the legacy system’s opera
For example, the State will incur $90.6 million in unplanned additional costs during a 22 month contract extension to modify the legacy system, operate the legacy system, and keep the Office operational. These costs would have be
Currently, the replacement system is expected to be completed about 22 m
The new system’s c
to $494.9 million. Office management contends that only $67 million of the $229.7 million in additional contract costs and only six months of the 22-month delay in the replacement system go-live date is attributable to “schedule-slippage” or delays. The conclusions are based on schedules and analysis that the Office asked the Vendor to prepare
said that it performed “deep analysis” of the Vendor’s schedules. However, the Office did not document its independent analysis or document
reasoning used to determine the impact of the delays described above on the project. The reasoning and analysis are needed to accurately separate the impact of the schedule delays from the impact of federal and state mandates and other changes to the system. For example, the Center for Medicare and Medicaid Services (CMS) published proposals for two new major Medicaid regulations (ICD-10 and 5010) in August 2008, just four months before the Department awarded the System contract to CMS. Other cost changes
7
FINDINGS AND RECOMMENDATIONS
Change In Costs
A breakdown of the additional costs totaling $320.3 million is listed in Table 1 below.
Table 1
Original EstimateAdditonal CostsNew Estimate Legacy System:Cost Difference Between Current And New Vendor Operations Contracts-$ 37.2$ 37.2$ Application for New Federal Mandates- 2.3 2.3 Application for Mental Health Claims Payments- 10.3 10.3 Application for NC Health Choice- 7.0 7.0 Application for Nursing Homes- 4.7 4.7 Other Legacy Component Costs- 29.1 29.1 Total Additional Legacy Operational Costs-$ 90.6$ 90.6$ New System:System Design and Build phase68.8$ 77.8$ 146.6$ New Federal Mandates- 33.2 33.2 Operations Phase180.5 71.3 251.8 Application for New Federal Health Reform- 15.3 15.3 Application for Provider Enrollment10.7 11.4 22.1 Application for Prescription Drug Use Review4.7 2.9 7.6 Turnover Phase0.5 - 0.5 Other System Enhancements and Changes- 17.8 17.8 Total Additional Project Costs265.2$ 229.7$ 494.9$ Total Change in Costs265.2$ 320.3$ 585.5$ Change in Project Costs(in millions)Source: Vendor original and amended contract pricing Table Z, change service requests, other system vendor contracts.
Recommendation: The Department and Office should clearly document the reasoning and analysis used to determine and manage the effect of delays on the project.
2. DAMAGES NEGOTIATIONS NOT FULLY DOCUMENTED
The North Carolina Department of Health and Human Services (Department) and its Office of Medicaid Management Information System Services (Office) did not fully document the damages negotiations with Computer Sciences Corporation (Vendor). 8
FINDINGS AND RECOMMENDATIONS
Specifically, the Department did not document how responsibility for delays was determined or how damages were calculated.
The Department included penalties for nonperformance in its contract with the Vendor. The contract allowed the Department to charge the Vendor for the costs of operating the current system and for Office operations if the new system was not delivered on time. Section 30.44.2 of the original contract states:2
“If the State determines in its sole but reasonable discretion that the Replacement MMIS [Medicaid Management Information System] has not become operational substantially as a whole, or has not begun generating official data of record by the Targeted Operational Start Date [August 2011], then the Vendor will be liable for all costs incurred by the State to continue operation of those elements of the Legacy MMIS+ including the cost of continued operation of OMMISS [Office of Medicaid Management Information System Services] which must, in the State’s reasonable opinion, remain in operation (including possibly all elements of the Legacy MMIS+), operational, less the amount that the State would have paid the Vendor had the Replacement MMIS been timely made substantially operational as a whole.”
However, the contract was not clear about how the damages would be calculated. As a result, Office management found it necessary to negotiate the amount of damages for which the Vendor was liable. Office management stated, “It is important to note that these were negotiations, as both parties had differing interpretations on how the contract called for the damages to be calculated.”
First, the Office had to determine how much of a 22-month system implementation delay was due to “schedule slippage.” To determine the amount of slippage, the Office required the Vendor to prepare schedules and analysis. The Vendor’s analysis determined that only six months of the 22-month implementation delay was due to schedule slippage. Office management said that it performed “deep analysis” of the Vendor’s schedules and determined that this amount was reasonable. Although the auditors asked for documentation, the Office did not provide documentation of its independent analysis to show how the Office verified that six months was reasonable.
Next, the Office had to negotiate how much of the six-month slippage was the Vendor’s responsibility. Office management stated, “During negotiations, each side expectedly had their own version of what caused the six-month slippage. It was finally agreed upon that CSC [Vendor] bore 2/3 (four months) of the responsibility for the slippage.” Office management said, “For negotiating purposes, the State owned 2 months of the delay (to account for 200 legacy CSRs [change service requests] which were included in the technical design) and CSC [Vendor] owned 4 months.”
The Office assessed the Vendor for four months of damages in the amount of $10 million received as monthly credits of $166,666 to the operational phase of the project beginning in 2013.
2 Section 30.44.2 of RFP 30-DHHS-1228-08-R.
9
FINDINGS AND RECOMMENDATIONS
Office management said the $10 million negotiated settlement covers the estimated damages. Office management stated, “Based on February 2011 estimates, the Department will, in fact, over-recover damages in the amount of approximately $748,472.”
However, the Office does not have documentation that clearly explains its reasoning for including or excluding items from the damages calculation. For example, there is no documentation to explain why about $12.7 million of additional legacy system costs were not included in the negotiations. These costs could meet the definition of “all costs incurred” by the State to continue operating the legacy system as stated in the original contract. Table 2 below lists items that the auditors identified as operational costs and other potential damages.
Table 2
4 Months of Operations Legacy System Contract - Medicaid claims processing 16,058,964$ Mental Health Claims Payment Contract1,878,996 NC Health Choice Processing (2 months)700,000 Cost of Federally Required HIPPA 5010 Update1,713,771 Cost of Federally Required ICD10 Update623,960 IBM Fraud and Abuse914,739 Purchase of Medical Care Services (DPH)400,000 BlueCross BlueShield - NC Health Choice Medical Claims Pro2,638,146 Medco - NC Health Choice Prescriptions (2 months)2,659,062 ACS "Smart PA" Prior Authorization and Drug Utilization Cos1,178,440 HP Preadmission Screening and Annual Assessment Review853,044 Ingenix Fraud and Abuse389,801 Ingenix DRIVE (Data Warehouse)325,364 ACS State Healthcare Pharmary PA Preauthorization1,119,260 Total cost of Legacy System31,453,547 Estimated continued Office operational cost3,688,964 Total estimated operational costs of 4 month schedule slippage35,142,511$ Cost for Operations of Replacement System per Table Z (12,468,847)$ Total Amount of Auditor Identfied Delay Costs22,673,664$ Penalty Assessed On Vendor(10,000,000) Other Potential Penalty Amounts12,673,664$ Source: Vendor contracts and amendments, change service requests, OSBM budget documents 10
FINDINGS AND RECOMMENDATIONS
Additionally, the damage estimate is just an estimate that could later prove to be inaccurate. The Office stated,
“First, to achieve an accurate cost of the damages related to the Targeted Operational Start Date, damages would have to be measured after-the-fact. The most accurate figure could only be calculated after all relevant costs are recorded for the ‘damage assessment period’. In the case of the $10,000,000 damages being assessed to CSC [Vendor] in contract amendment #2, those damages were negotiated many months prior to the occurrence of the ‘damage assessment period’ and thus constitute projected damages.”
However, the terms of the contract amendment will prevent the State from obtaining additional amounts if the Office’s estimated damages prove to be incorrect or if the Office later identifies other damages that should have been included in the negotiations. Section 1.15 of contract amendment two states in part:
“Each Party shall have no liability to the other to the extent that such liability arises, or is asserted to arise, from a Party’s failure to timely act in accordance with any Integrated Master Schedule adopted by the Parties prior to the effective date of this Amendment.”
Consequently, it is important to have documentation that explains managements reasoning for the decisions made.
Recommendation: The Department and Office should document its methodology and reasoning in determining how penalties were assessed on vendors. The Department and Office should also retain all documentation used to plan and conduct negotiations with vendors.
3. MONITORING DID NOT IDENTIFY UNAUTHORIZED CHANGES
The Office of Medicaid Management Information System Services (Office) at the North Carolina Department of Health and Human Services (Department) did not timely identify about $30.4 million of changes that the Computer Sciences Corporation (Vendor) made to the design, development, and integration phase of the replacement Medicaid Management Information System project.
T
he Vendor:

Performed scope changes without direction from an Office contracting officer;

Made changes to system requirements based on informal requests; and
 Accepted change requests from personnel who were not authorized to make system changes.
The National State Auditors Association’s “Best Practices in Contracting for Services” states:
11
FINDINGS AND RECOMMENDATIONS
12
“Contract monitoring is an essential part of the contracting process. Monitoring should ensure that contractors comply with the terms, performance expectations are achieved, and any problems are identified and resolved.”
Because the Office’s monitoring procedures did not identify the unauthorized changes, the Office was not aware that the design of the system being built differed from the system that had been approved. In fact, the Department was not aware of some of the changes for more than a year after the changes were made.
However, the contract terms protected the State from paying for unauthorized system changes. Sections 30.6.4 and 30.6.4k of the contract state:
“Vendor shall not be entitled to compensation for any services other than or in addition to the Services (as defined herein below) unless the change process is followed, which process the Vendor shall propose in its Change Management Plan.”
T
he Department rejected some of the unauthorized changes and accepted others. Because the changes were not pre-approved, the Department had to negotiate the price of the changes after they were made. The Department negotiated and agreed to the following prices:

$10.8 million for design “enhancements” that were not approved by the Department and were beyond the scope of the contract; and
 $4.2 million for design changes that were not part of the baseline design.
Department management did not agree that the unauthorized changes were a problem. Department management stated that some of the changes were requirements that the Vendor would have made at a later date anyway, so the issue is really only one of timing. Other changes were system enhancements that it was more efficient for the vendor to make without seeking approval.
However, failure to identify unauthorized changes in a timely manner increases the risk that the State will not receive the system that it contracted for. Also, it increases the risk that the State could incur additional costs and need additional time to test unauthorized changes.
Recommendation: The Department and Office should ensure that monitoring procedures are effective for identifying deviations from the project plan. For efficiency, management could establish, document, and communicate to the vendor types of changes that the vendor can make without prior approval. [ This Page Left Blank Intentionally ] 13
APPENDIX
Auditor’s Response
We are required to provide additional explanation when an agency’s response could potentially cloud an issue, mislead the reader, or inappropriately minimize the importance of our findings.
Generally Accepted Government Auditing Standards state,
When the audited entity’s comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditor’s recommendations, the auditors should evaluate the validity of the audited entity’s comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement.
While we recognize that an audit report can result in a lot of defensiveness and emotion, we want to make sure the reader stays focused on the issues. Therefore, to ensure the availability of complete and accurate information and in accordance with Generally Accepted Government Auditing Standards, we offer the following clarifications.
The Department’s response indicates that it would have preferred our audit to focus on potential future Medicaid Management Information System (MMIS) operational savings, the effect of additional federal funds on the state’s economy, and the Department’s reported savings from software acquired during the previous MMIS implementation attempt.
However, that was not the purpose of our audit.
Our audit simply asked (1) what caused the delay in implementing the new MMIS, (2) were the causes reasonably foreseeable by Department management as risks to the project, and (3) if the risks were reasonably foreseeable, did Department management have controls in place to address those risks.
We found that the MMIS implementation was delayed for reasons that were reasonably foreseeable by Department management. However, Department management did not clearly document its analysis or the reasoning used to decide on its response to those risks. Consequently, we recommended that the Department should clearly document its analysis and reasoning for management decisions in the future.
Why clear documentation? Because clear documentation and disclosure of government manager’s reasoning, analysis, and decisions help make state government operations transparent to North Carolina’s citizens and provide a mechanism to hold government managers accountable. As stated in the Government Auditing Standards, “The principles of transparency and accountability for the use of public resources are key to our nation’s governing processes.”
Apparently, the Department disagrees.
14
APPENDIX
15
The Department’s response also claims that the Office of the State Auditor (OSA) disregarded state law by providing a draft audit report that did not include the Department’s response to the General Assembly.
The Department is incorrect.
North Carolina General Statute 147-64.6 says, “the auditee’s written response shall be included in the final report if received within 30 days from receipt of the draft report.” [emphasis added] What was shared with the Legislature on December 13, 2011, was not a final report. Therefore, OSA was not required to include the auditee’s response. However, OSA was required by N.C.G.S. § 147-64.5 and N.C.G.S. § 120-19 to cooperate with the General Assembly by providing upon their request the information OSA obtained in this audit as well as the Auditor’s recommendations based on this information.
The Department’s response also claims that the audit team did not have “sufficient information technology and project management experience and knowledge” to conduct the audit in accordance with Government Auditing Standards.
The Department is incorrect.
The audit team consisted of an external specialist and OSA staff that had the technical knowledge, skills, and experience necessary to conduct the audit. The audit team’s certifications, education, and experience, included but were not limited to: Certified Information Systems Auditor (CISA), Project Management Professional (PMP), Certified Public Accountant (CPA), Master of Science (Computer Information Systems), Master of Business Administration (MBA), Bachelor of Engineering, 32 years of government auditing experience, and 12 years of experience in information technology governance, risk, and compliance.
The Department’s response also claims that the audit team was not independent as required by the Government Auditing Standards because a member of the audit team was formerly employed by the Department as a contract manager.
The Department is incorrect.
The overarching principles of the Government Auditing Standards’ independence standards are that an auditor should not (1) have a financial interest in the audit subject matter, or (2) audit their own work.
All audit team members were independent. None of the audit team members had any financial interest in the MMIS project. Furthermore, none of the audit team members had any involvement in contracting for or managing the current MMIS implementation project.
The Governor, Legislators, and the citizens of North Carolina should consider the clarification provided above when evaluating the Department’s response to the audit findings. [ This Page Left Blank Intentionally ] 16
APPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIX47
APPENDIX[ This Page Left Blank Intentionally ] 48
ORDERING INFORMATION
Audit reports issued by the Office of the State Auditor can be obtained from the web site at www.ncauditor.net. Also, parties may register on the web site to receive automatic email notification whenever reports of interest are issued. Otherwise, copies of audit reports may be obtained by contacting the:
Office of the State Auditor
State of North Carolina
2 South Salisbury Street
20601 Mail Service Center
Raleigh, North Carolina 27699-0601
Telephone: 919/807-7500
Facsimile: 919/807-7647
49

Click tabs to swap between content that is broken into logical sections.

STATE OF NORTH CAROLINA
PERFORMANCE AUDIT
DEPARTMENT OF HEALTH AND HUMAN SERVICES – OFFICE OF MEDICAID MANAGEMENT INFORMATION SYSTEM SERVICES
REPLACEMENT MMIS IMPLEMENTATION
JANUARY 2012
OFFICE OF THE STATE AUDITOR
BETH A.WOOD, CPA
STATE AUDITORPERFORMANCE AUDIT
DEPARTMENT OF HEALTH AND HUMAN SERVICES – OFFICE OF MEDICAID MANAGEMENT INFORMATION SYSTEM SERVICES
REPLACEMENT MMIS IMPLEMENTATION
JANUARY 2012Beth A. Wood, CPA
State Auditor
STATE OF NORTH CAROLINA
Office of the State Auditor
2 S. Salisbury Street
20601 Mail Service Center
Raleigh, NC 27699-0601
Telephone: (919) 807-7500
Fax: (919) 807-7647
Internet
http://www.ncauditor.net
January 10, 2012
The Honorable Beverly Perdue, Governor Members of the North Carolina General Assembly Lanier M. Cansler, Secretary, Department of Health and Human Services
Angeline Sligh, Director, Office of Medicaid Management Information System Services
Ladies and Gentlemen:
We are pleased to submit this performance audit titled “Department of Health and Human Services – Office of Medicaid Management Information System Services, Replacement MMIS Implementation.” The audit objective was to determine if the Office of Medicaid Management Information System Services established controls to provide reasonable assurance that the replacement Medicaid Management Information System project would be fully implemented on time and on budget, after considering required federal and state mandated changes. Secretary Cansler reviewed a draft copy of this report. His written comments are included in the appendix.
The Office of the State Auditor initiated this audit to identify improvement opportunities for the procurement and oversight of the Medicaid Management Information System implementation project.
We wish to express our appreciation to the staff of the Office of Medicaid Management Information System Services for the courtesy, cooperation, and assistance provided us during the audit.
Respectfully submitted,
Beth A. Wood, CPA State Auditor TABLE OF CONTENTS
PAGE
SUMMARY................................................................................................................................2
INTRODUCTION
BACKGROUND..................................................................................................................4
OBJECTIVES, SCOPE, AND METHODOLOGY......................................................................5
FINDINGS AND RECOMMENDATIONS..........................................................................................6
APPENDIX
AUDITOR’S RESPONSE...................................................................................................14
DEPARTMENT RESPONSE...............................................................................................17
ORDERING INFORMATION........................................................................................................49 PERFORMANCE AUDIT
SUMMARY
PURPOSE
This audit report evaluates whether the Department of Health and Human Services (Department) - Office of Medicaid Management Information System Services’ (Office) established controls to provide reasonable assurance that the replacement Medicaid Management Information System project would be fully implemented on time and on budget, after considering required federal and State mandated changes. The report makes recommendations so Department and Office management can take appropriate corrective action.
RESULTS
Management lacks documentation that clearly explains the evaluations and decisions that impact the implementation of the Medicaid Management Information System.
The Medicaid Management Information System is expected to be completed about 22 months late with total overall costs exceeding estimates by $320.3 million. The reasons for the costs changes include schedule delays, federal and state mandates, and two additional years of operations that the Office contracted for with the Vendor.
The Office did not fully document its analysis of the impact that schedule delays had on the system implementation. The system has experienced delays for three reasons. First, the Vendors planned use 73% of the programming code from its New York system project to build North Carolina’s system, and later found that it could only use about 32% of the code. Second, the Vendor experienced higher than expected staff turnover. And third, the length of time taken to review and approve project designs and deliverables exceeded budgeted amounts. Office management contends that only six months of delay in the replacement system go-live date is attributable to “schedule-slippage” or delays. However, the Office did not document its analysis or the reasoning used to determine the impact of the delays on the project.
Also, the Department and Office did not fully document how it determined the amount of damages for which the vendor was responsible. The contract did not define how responsibility for delays would be determined or how damages would be calculated. As a result, the Office found it necessary to negotiate the damage assessment with the Vendor. The Office required the Vendor to perform an analysis to determine how much of the 22-month implementation delay was due to “schedule slippage.” Office management said it performed “deep analysis” of the Vendor prepared schedules. However, the Office did not fully document its reasoning and analysis for determining the damages. The Office then negotiated with the Vendor to determine how much of the slippage was caused by the Vendor. The Office agreed upon four months of damages. The Office assessed the Vendor $10 million based on estimated damages. The Office also amended the contract so that neither party can obtain additional damages if those estimates later prove to be incorrect.
2
PERFORMANCE AUDIT
3
Lastly, the Office did not timely identify about $30.4 million of changes that the Vendor made to the design, development, and integration phase of the replacement Medicaid Management Information System project. Because the Office’s monitoring procedures did not identify the unauthorized changes, the Office was not aware that the design of the system being built differed from the system that had been approved. In fact, the Department was not aware of some of the changes for more than a year after the changes were made. The Office refused to pay for some of the changes and accepted others. The Office negotiated a price of $15 million for the changes it accepted.
RECOMMENDATIONS
The Department and Office should clearly document the reasoning and analysis used to determine and manage the effect of delays on the project.
The Department and Office should document its methodology and reasoning in determining how penalties were assessed on vendors. The Department and Office should also retain all documentation used to plan and conduct negotiations with vendors.
The Department and Office should ensure that monitoring procedures are effective for identifying deviations from the project plan. For efficiency, management could establish, document, and communicate to the vendor types of changes that the vendor can make without prior approval.
AGENCY’S RESPONSE
The Agency’s response is included in the appendix. PERFORMANCE AUDIT
INTRODUCTION
BACKGROUND
North Carolina currently contracts with Hewlett Packard Enterprise Services to operate the State’s Medicaid Management Information System and process Medicaid claims payments. The computer system that the Department of Health and Human Services (Department) uses processes and pays over $10 billion a year in health care claims for about 1.5 million Medicaid program participants. North Carolina purchased the current system from Electronic Data Systems in 1988.
In April 2004, the Department awarded a $171 million contract to Affiliated Computer Services (ACS) to replace the existing system and serve as the new fiscal agent for the State’s Medicaid Program. The Department also created the North Carolina Office of Medicaid Management Information System Services (Office) to provide oversight and manage activities for the procurement and implementation of support systems and services for the replacement System.
ACS did not perform in accordance with the contract. ACS was to complete the design, development, and installation phase of the contract by the summer of 2006. In March 2006, the Department granted a request to extend the completion date to August 2007. However, the Department denied a second ACS request to increase the contract cost and extend the design, development, and installation phase completion date to November 2007. After paying about $5.6 million in project costs, the Department terminated the ACS contract in July 2006. In response, ACS filed a wrongful termination and breach of contract lawsuit against the State. The civil court case was settled in January 2007 at an additional cost of $10.5 million to the State. In the settlement, ACS also agreed to install a suite of software to help the state’s Medicaid program generate savings.
In 2009, the Department began its second attempt at replacing the system. The Department awarded a $265 million contract to Computer Science Services, Inc (Vendor) in January 2009. The contract established a fully-implemented go-live date of August 2011 for the new system. However, in July 2010 the Vendor notified the Department that the Vendor would not be able to meet the established go-live date and requested an extension. After lengthy negotiations, the Department approved a contract amendment in July 2011 that granted an 18-22 month extension to build the system, increased contract price from $265 million to $494 million (86%), and extended the operational contract an additional two years.
The federal government is expected to fund up to 90% of the design, development, and installation cost for the new system.
4
PERFORMANCE AUDIT
OBJECTIVES, SCOPE, AND METHODOLOGY
The audit objective was to determine if the Office of Medicaid Management Information System Services (Office) has established controls that provide reasonable assurance that the replacement Medicaid Management Information System project would be fully implemented on time and on budget, after considering required federal and state mandated changes.
The Office of the State Auditor initiated this audit to identify improvement opportunities for the procurement and oversight of the system implementation project.
The audit scope included a review of project management practices and vendor contract information surrounding the current system replacement effort beginning January 1, 2009 through July 31, 2011. We conducted the fieldwork from February 2011 to December 2011.
To determine current management practices, we conducted interviews with Department of Health and Human Services (Department) and Office management, reviewed policies and procedures related to the replacement system project management, and reviewed Department and Office management meeting minutes.
To evaluate management controls, we compared Office project management practices to recommended best practices issued by the Project Management Institute and the IT Governance Institute.
Because of the test nature and other inherent limitations of an audit, together with limitations of any system of internal and management controls, this audit would not necessarily disclose all performance weaknesses or lack of compliance.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
We conducted this audit under the authority vested in the State Auditor of North Carolina by North Carolina General Statute 147.64.
5
FINDINGS AND RECOMMENDATIONS
1. IMPACT OF DELAYS NOT FULLY DOCUMENTED
The Office of Medicaid Management Information System Services (Office) at the North Carolina Department of Health and Human Services (Department) did not fully document its analysis of the impact that schedule delays had on the system implementation.
Schedule Delays
The Office and the Computer Sciences Corporation (Vendor) described three sources of schedule delays that impacted the system implementation.
One source of project delay was the Vendor’s planned use 73% of the programming code from its New York system project to build North Carolina’s system. In January 2009, the Vendor was awarded the contract and began work on North Carolina’s system. In June 2010, the Vendor found that it could only use about 32% of the code from the New York project for North Carolina. Consequently, unplanned additional time and labor is necessary to complete North Carolina’s system.
In a March 10, 2011, interview, the current State CIO said he would never have allowed the proposal to be accepted based on the estimated percentage of usable code. The State CIO said that he had experience with other information technology vendors making similar estimates and not being able to deliver.
The Office accepted the Vendor’s proposed use of 73% of the New York project code without documenting any independent analysis that indicates the proposal was reasonable. Department management said it was not possible to determine whether the Vendor could use the New York project programming code until after the system was designed and programming was started. Furthermore, Department management said that the additional programming time and labor needed to complete the system does not cost the State anything because the State has a fixed cost contract.
A second source of project delay was higher than expected Vendor staff turnover. The risk of high staff turnover and planned mitigation actions were listed in the Vendor’s proposal. The risk of high staff turnover was also documented in the project risk register1 on May 2, 2009. The vendor reported high staff turnover to the project oversight committee beginning in April 2010. However, the staff turnover risk was not transferred to the issue register and actions taken to address the issue until Oct
A third source of project delay was the length of time taken to review and approve project designs and deliverables. The Vendor and the Office stated that review and approval process sometimes exceeded the two cycles of review that were budgeted. Vendor personnel stated the review process resulted in numerous cycles of technical design and development being performed. Additionally, Office personnel stated that the Vendor
1 Risks are listed in the projects risk register. When events occur and the risks are realized, the risks become issues and are documented in the issue register.
6
FINDINGS AND RECOMMENDATIONS
wanted to meet its deliverable due date, so it would sometimes submit deliverables that were not complete. Office personnel said this added more review tim
Office documentation shows that on average, the deliverables required review and approval process took about 2.1 cycles. However, analysis of the docum
The project delays not only extended the amount of time needed to complete the system, they resulted in additional costs to the State. Extending the project schedule requires the State to continue using the legacy system. As a result, the State incurs additional cost because the legacy system’s opera
For example, the State will incur $90.6 million in unplanned additional costs during a 22 month contract extension to modify the legacy system, operate the legacy system, and keep the Office operational. These costs would have be
Currently, the replacement system is expected to be completed about 22 m
The new system’s c
to $494.9 million. Office management contends that only $67 million of the $229.7 million in additional contract costs and only six months of the 22-month delay in the replacement system go-live date is attributable to “schedule-slippage” or delays. The conclusions are based on schedules and analysis that the Office asked the Vendor to prepare
said that it performed “deep analysis” of the Vendor’s schedules. However, the Office did not document its independent analysis or document
reasoning used to determine the impact of the delays described above on the project. The reasoning and analysis are needed to accurately separate the impact of the schedule delays from the impact of federal and state mandates and other changes to the system. For example, the Center for Medicare and Medicaid Services (CMS) published proposals for two new major Medicaid regulations (ICD-10 and 5010) in August 2008, just four months before the Department awarded the System contract to CMS. Other cost changes
7
FINDINGS AND RECOMMENDATIONS
Change In Costs
A breakdown of the additional costs totaling $320.3 million is listed in Table 1 below.
Table 1
Original EstimateAdditonal CostsNew Estimate Legacy System:Cost Difference Between Current And New Vendor Operations Contracts-$ 37.2$ 37.2$ Application for New Federal Mandates- 2.3 2.3 Application for Mental Health Claims Payments- 10.3 10.3 Application for NC Health Choice- 7.0 7.0 Application for Nursing Homes- 4.7 4.7 Other Legacy Component Costs- 29.1 29.1 Total Additional Legacy Operational Costs-$ 90.6$ 90.6$ New System:System Design and Build phase68.8$ 77.8$ 146.6$ New Federal Mandates- 33.2 33.2 Operations Phase180.5 71.3 251.8 Application for New Federal Health Reform- 15.3 15.3 Application for Provider Enrollment10.7 11.4 22.1 Application for Prescription Drug Use Review4.7 2.9 7.6 Turnover Phase0.5 - 0.5 Other System Enhancements and Changes- 17.8 17.8 Total Additional Project Costs265.2$ 229.7$ 494.9$ Total Change in Costs265.2$ 320.3$ 585.5$ Change in Project Costs(in millions)Source: Vendor original and amended contract pricing Table Z, change service requests, other system vendor contracts.
Recommendation: The Department and Office should clearly document the reasoning and analysis used to determine and manage the effect of delays on the project.
2. DAMAGES NEGOTIATIONS NOT FULLY DOCUMENTED
The North Carolina Department of Health and Human Services (Department) and its Office of Medicaid Management Information System Services (Office) did not fully document the damages negotiations with Computer Sciences Corporation (Vendor). 8
FINDINGS AND RECOMMENDATIONS
Specifically, the Department did not document how responsibility for delays was determined or how damages were calculated.
The Department included penalties for nonperformance in its contract with the Vendor. The contract allowed the Department to charge the Vendor for the costs of operating the current system and for Office operations if the new system was not delivered on time. Section 30.44.2 of the original contract states:2
“If the State determines in its sole but reasonable discretion that the Replacement MMIS [Medicaid Management Information System] has not become operational substantially as a whole, or has not begun generating official data of record by the Targeted Operational Start Date [August 2011], then the Vendor will be liable for all costs incurred by the State to continue operation of those elements of the Legacy MMIS+ including the cost of continued operation of OMMISS [Office of Medicaid Management Information System Services] which must, in the State’s reasonable opinion, remain in operation (including possibly all elements of the Legacy MMIS+), operational, less the amount that the State would have paid the Vendor had the Replacement MMIS been timely made substantially operational as a whole.”
However, the contract was not clear about how the damages would be calculated. As a result, Office management found it necessary to negotiate the amount of damages for which the Vendor was liable. Office management stated, “It is important to note that these were negotiations, as both parties had differing interpretations on how the contract called for the damages to be calculated.”
First, the Office had to determine how much of a 22-month system implementation delay was due to “schedule slippage.” To determine the amount of slippage, the Office required the Vendor to prepare schedules and analysis. The Vendor’s analysis determined that only six months of the 22-month implementation delay was due to schedule slippage. Office management said that it performed “deep analysis” of the Vendor’s schedules and determined that this amount was reasonable. Although the auditors asked for documentation, the Office did not provide documentation of its independent analysis to show how the Office verified that six months was reasonable.
Next, the Office had to negotiate how much of the six-month slippage was the Vendor’s responsibility. Office management stated, “During negotiations, each side expectedly had their own version of what caused the six-month slippage. It was finally agreed upon that CSC [Vendor] bore 2/3 (four months) of the responsibility for the slippage.” Office management said, “For negotiating purposes, the State owned 2 months of the delay (to account for 200 legacy CSRs [change service requests] which were included in the technical design) and CSC [Vendor] owned 4 months.”
The Office assessed the Vendor for four months of damages in the amount of $10 million received as monthly credits of $166,666 to the operational phase of the project beginning in 2013.
2 Section 30.44.2 of RFP 30-DHHS-1228-08-R.
9
FINDINGS AND RECOMMENDATIONS
Office management said the $10 million negotiated settlement covers the estimated damages. Office management stated, “Based on February 2011 estimates, the Department will, in fact, over-recover damages in the amount of approximately $748,472.”
However, the Office does not have documentation that clearly explains its reasoning for including or excluding items from the damages calculation. For example, there is no documentation to explain why about $12.7 million of additional legacy system costs were not included in the negotiations. These costs could meet the definition of “all costs incurred” by the State to continue operating the legacy system as stated in the original contract. Table 2 below lists items that the auditors identified as operational costs and other potential damages.
Table 2
4 Months of Operations Legacy System Contract - Medicaid claims processing 16,058,964$ Mental Health Claims Payment Contract1,878,996 NC Health Choice Processing (2 months)700,000 Cost of Federally Required HIPPA 5010 Update1,713,771 Cost of Federally Required ICD10 Update623,960 IBM Fraud and Abuse914,739 Purchase of Medical Care Services (DPH)400,000 BlueCross BlueShield - NC Health Choice Medical Claims Pro2,638,146 Medco - NC Health Choice Prescriptions (2 months)2,659,062 ACS "Smart PA" Prior Authorization and Drug Utilization Cos1,178,440 HP Preadmission Screening and Annual Assessment Review853,044 Ingenix Fraud and Abuse389,801 Ingenix DRIVE (Data Warehouse)325,364 ACS State Healthcare Pharmary PA Preauthorization1,119,260 Total cost of Legacy System31,453,547 Estimated continued Office operational cost3,688,964 Total estimated operational costs of 4 month schedule slippage35,142,511$ Cost for Operations of Replacement System per Table Z (12,468,847)$ Total Amount of Auditor Identfied Delay Costs22,673,664$ Penalty Assessed On Vendor(10,000,000) Other Potential Penalty Amounts12,673,664$ Source: Vendor contracts and amendments, change service requests, OSBM budget documents 10
FINDINGS AND RECOMMENDATIONS
Additionally, the damage estimate is just an estimate that could later prove to be inaccurate. The Office stated,
“First, to achieve an accurate cost of the damages related to the Targeted Operational Start Date, damages would have to be measured after-the-fact. The most accurate figure could only be calculated after all relevant costs are recorded for the ‘damage assessment period’. In the case of the $10,000,000 damages being assessed to CSC [Vendor] in contract amendment #2, those damages were negotiated many months prior to the occurrence of the ‘damage assessment period’ and thus constitute projected damages.”
However, the terms of the contract amendment will prevent the State from obtaining additional amounts if the Office’s estimated damages prove to be incorrect or if the Office later identifies other damages that should have been included in the negotiations. Section 1.15 of contract amendment two states in part:
“Each Party shall have no liability to the other to the extent that such liability arises, or is asserted to arise, from a Party’s failure to timely act in accordance with any Integrated Master Schedule adopted by the Parties prior to the effective date of this Amendment.”
Consequently, it is important to have documentation that explains managements reasoning for the decisions made.
Recommendation: The Department and Office should document its methodology and reasoning in determining how penalties were assessed on vendors. The Department and Office should also retain all documentation used to plan and conduct negotiations with vendors.
3. MONITORING DID NOT IDENTIFY UNAUTHORIZED CHANGES
The Office of Medicaid Management Information System Services (Office) at the North Carolina Department of Health and Human Services (Department) did not timely identify about $30.4 million of changes that the Computer Sciences Corporation (Vendor) made to the design, development, and integration phase of the replacement Medicaid Management Information System project.
T
he Vendor:

Performed scope changes without direction from an Office contracting officer;

Made changes to system requirements based on informal requests; and
 Accepted change requests from personnel who were not authorized to make system changes.
The National State Auditors Association’s “Best Practices in Contracting for Services” states:
11
FINDINGS AND RECOMMENDATIONS
12
“Contract monitoring is an essential part of the contracting process. Monitoring should ensure that contractors comply with the terms, performance expectations are achieved, and any problems are identified and resolved.”
Because the Office’s monitoring procedures did not identify the unauthorized changes, the Office was not aware that the design of the system being built differed from the system that had been approved. In fact, the Department was not aware of some of the changes for more than a year after the changes were made.
However, the contract terms protected the State from paying for unauthorized system changes. Sections 30.6.4 and 30.6.4k of the contract state:
“Vendor shall not be entitled to compensation for any services other than or in addition to the Services (as defined herein below) unless the change process is followed, which process the Vendor shall propose in its Change Management Plan.”
T
he Department rejected some of the unauthorized changes and accepted others. Because the changes were not pre-approved, the Department had to negotiate the price of the changes after they were made. The Department negotiated and agreed to the following prices:

$10.8 million for design “enhancements” that were not approved by the Department and were beyond the scope of the contract; and
 $4.2 million for design changes that were not part of the baseline design.
Department management did not agree that the unauthorized changes were a problem. Department management stated that some of the changes were requirements that the Vendor would have made at a later date anyway, so the issue is really only one of timing. Other changes were system enhancements that it was more efficient for the vendor to make without seeking approval.
However, failure to identify unauthorized changes in a timely manner increases the risk that the State will not receive the system that it contracted for. Also, it increases the risk that the State could incur additional costs and need additional time to test unauthorized changes.
Recommendation: The Department and Office should ensure that monitoring procedures are effective for identifying deviations from the project plan. For efficiency, management could establish, document, and communicate to the vendor types of changes that the vendor can make without prior approval. [ This Page Left Blank Intentionally ] 13
APPENDIX
Auditor’s Response
We are required to provide additional explanation when an agency’s response could potentially cloud an issue, mislead the reader, or inappropriately minimize the importance of our findings.
Generally Accepted Government Auditing Standards state,
When the audited entity’s comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditor’s recommendations, the auditors should evaluate the validity of the audited entity’s comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement.
While we recognize that an audit report can result in a lot of defensiveness and emotion, we want to make sure the reader stays focused on the issues. Therefore, to ensure the availability of complete and accurate information and in accordance with Generally Accepted Government Auditing Standards, we offer the following clarifications.
The Department’s response indicates that it would have preferred our audit to focus on potential future Medicaid Management Information System (MMIS) operational savings, the effect of additional federal funds on the state’s economy, and the Department’s reported savings from software acquired during the previous MMIS implementation attempt.
However, that was not the purpose of our audit.
Our audit simply asked (1) what caused the delay in implementing the new MMIS, (2) were the causes reasonably foreseeable by Department management as risks to the project, and (3) if the risks were reasonably foreseeable, did Department management have controls in place to address those risks.
We found that the MMIS implementation was delayed for reasons that were reasonably foreseeable by Department management. However, Department management did not clearly document its analysis or the reasoning used to decide on its response to those risks. Consequently, we recommended that the Department should clearly document its analysis and reasoning for management decisions in the future.
Why clear documentation? Because clear documentation and disclosure of government manager’s reasoning, analysis, and decisions help make state government operations transparent to North Carolina’s citizens and provide a mechanism to hold government managers accountable. As stated in the Government Auditing Standards, “The principles of transparency and accountability for the use of public resources are key to our nation’s governing processes.”
Apparently, the Department disagrees.
14
APPENDIX
15
The Department’s response also claims that the Office of the State Auditor (OSA) disregarded state law by providing a draft audit report that did not include the Department’s response to the General Assembly.
The Department is incorrect.
North Carolina General Statute 147-64.6 says, “the auditee’s written response shall be included in the final report if received within 30 days from receipt of the draft report.” [emphasis added] What was shared with the Legislature on December 13, 2011, was not a final report. Therefore, OSA was not required to include the auditee’s response. However, OSA was required by N.C.G.S. § 147-64.5 and N.C.G.S. § 120-19 to cooperate with the General Assembly by providing upon their request the information OSA obtained in this audit as well as the Auditor’s recommendations based on this information.
The Department’s response also claims that the audit team did not have “sufficient information technology and project management experience and knowledge” to conduct the audit in accordance with Government Auditing Standards.
The Department is incorrect.
The audit team consisted of an external specialist and OSA staff that had the technical knowledge, skills, and experience necessary to conduct the audit. The audit team’s certifications, education, and experience, included but were not limited to: Certified Information Systems Auditor (CISA), Project Management Professional (PMP), Certified Public Accountant (CPA), Master of Science (Computer Information Systems), Master of Business Administration (MBA), Bachelor of Engineering, 32 years of government auditing experience, and 12 years of experience in information technology governance, risk, and compliance.
The Department’s response also claims that the audit team was not independent as required by the Government Auditing Standards because a member of the audit team was formerly employed by the Department as a contract manager.
The Department is incorrect.
The overarching principles of the Government Auditing Standards’ independence standards are that an auditor should not (1) have a financial interest in the audit subject matter, or (2) audit their own work.
All audit team members were independent. None of the audit team members had any financial interest in the MMIS project. Furthermore, none of the audit team members had any involvement in contracting for or managing the current MMIS implementation project.
The Governor, Legislators, and the citizens of North Carolina should consider the clarification provided above when evaluating the Department’s response to the audit findings. [ This Page Left Blank Intentionally ] 16
APPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIXAPPENDIX47
APPENDIX[ This Page Left Blank Intentionally ] 48
ORDERING INFORMATION
Audit reports issued by the Office of the State Auditor can be obtained from the web site at www.ncauditor.net. Also, parties may register on the web site to receive automatic email notification whenever reports of interest are issued. Otherwise, copies of audit reports may be obtained by contacting the:
Office of the State Auditor
State of North Carolina
2 South Salisbury Street
20601 Mail Service Center
Raleigh, North Carolina 27699-0601
Telephone: 919/807-7500
Facsimile: 919/807-7647
49